Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!
Solved Go to solution

Why does Ambari set Headless Keytabs' permissions to 440? Isn't that a security risk?

Labels:
avatar
author-rank benhadoop
Expert Contributor

Created ‎06-24-2016 12:10 PM

Hey community,

during setting up Kerberos in an HDP 2.3.4 cluster with Ambari, I was wondering the following:

Why does Ambari set the linux permissions for headless keytabs (e.g /etc/security/keytabs/hdfs.headless.keytab) to 440 rather than 400?

I feel that this creates a security risk, as everyone in the hadoop group could impersonate hdfs and thus effectively work as superuser on the cluster. Or is the group "hadoop" supposed to be a super-protected group only used by Hadoop Service Accounts?

Hope you can clear this up for me.

Thanks, Benjamin

edit: It seems to be connected to AMBARI-13695, created by @Robert Levas

2,352 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank emaxwell author-rank
Guru

Created ‎06-24-2016 05:35 PM

@Benjamin R

The permissions of the keytabs are not all 440. Only some of them are (hdfs, hbase, ambari-qa, accumulo, and spnego). Those keytabs are used by other services than just the owner for testing connectivity, and other functions on startup. All of the other keytabs are only readable by the service account that owns the file. The group that owns the keytabs is the hadoop group, and should be reserved for service accounts. This will ensure the security of your cluster.

View solution in original post

1,715 Views
0 Kudos
6 REPLIES 6

avatar
author-rank rlevas
Guru

Created ‎06-24-2016 01:35 PM

@Benjamin R

I assume that reason the HDFS headless keytab file's permission 440 rather than 400 is to allow components (what execute under that same group) to use the keytab file in order to create their specific filesystem structures in HDFS during install. However, I am not totally sure.

When adding the feature of enabling Kerberos to Ambari, we intended to ensure similarity with older versions of Ambari where the process was manual - see Ambari 1.7.0 Security Guide - Creating Service Principals and Keytab Files for Hadoop 2.x. As part of that process, the HDFS headless keytab file was chmod-ed to 440.

At some point we want to investigate limiting the exposure of this keytab file (further than we have) by providing a registry so that services can declare what filesystem structure they need in HDFS. Then the HDFS service can create it on behalf of the service. This should allow for the HDFS headless keytab file to be distributed to only the hosts where a NameNode is installed and in turn the permission on the file can be set to 400.

1,715 Views

avatar
author-rank benhadoop
Expert Contributor

Created ‎06-24-2016 02:14 PM

Thank you for the insights! This sounds reasonable but still a bit risky.

If the initial creation the file structure is the only reason for the hdfs-keytab to be group-readable, I'm considering to change the permissions to 400 manually and re-change it to 440, when installing new components. This sounds more secure than beeing super-restless on securing the hadoop-group. Any thoughts on that approach?

1,715 Views
0 Kudos

avatar
author-rank rlevas
Guru

Created ‎06-24-2016 02:29 PM

@Benjamin R

That seems reasonable to me. I would be interested to hear if there are any ill effects by doing that. That would help with my proposal for the registry I mentioned.

1,715 Views
0 Kudos

avatar
author-rank benhadoop
Expert Contributor

Created ‎06-24-2016 02:50 PM

@Robert Levas

I just tried changing the permissions and restarting the cluster. As it turns out, some Ambari services rely on using that keytab with their user on every restart.

In particular: The WebHCat server does not start, failing to execute the following command:

Execute['/usr/bin/kinit -kt /etc/security/keytabs/hdfs.headless.keytab hdfs-mycluster@REALM.DE;'] {'path': ['/bin'], 'user': 'hcat'}

All other services appear to work correctly.

1,715 Views
0 Kudos

avatar
author-rank rlevas
Guru

Created ‎06-24-2016 06:23 PM

Thanks for the update. I am surprised that WebHCat was the only issue. I see in the scripts why that is happening, but I would imagine other services might follow the same pattern. However, maybe this is a bug in WebHCat and someone might need to investigate why the script does this.

1,715 Views
0 Kudos

avatar
author-rank emaxwell author-rank
Guru

Created ‎06-24-2016 05:35 PM

@Benjamin R

The permissions of the keytabs are not all 440. Only some of them are (hdfs, hbase, ambari-qa, accumulo, and spnego). Those keytabs are used by other services than just the owner for testing connectivity, and other functions on startup. All of the other keytabs are only readable by the service account that owns the file. The group that owns the keytabs is the hadoop group, and should be reserved for service accounts. This will ensure the security of your cluster.

1,716 Views
0 Kudos
webinar banner
Announcements
Product Announcements
[ANNOUNCE] Cloudera on Public Cloud Runtime 7.2.18 is GA!
What's New @ Cloudera
Cloudera Operational Database (COD) supports enhancements to...
Community Announcements
March 2024 Community Highlights
Community Announcements
Celebrating 100,000 Members: A Journey of Growth and Connect...
Product Announcements
[ANNOUNCE] New Cloudera JDBC Connector for Apache Hive 2.6.2...
View More Announcements
meetups banner